Greetings SPDX Community,
I just finished a proof of concept utility which translates an SPDX document in any of the supported formats (JSON, YAML, RDF/XML, tag/value) into a JSON report produced by the Open Source Vulnerabilities service <https://osv.dev/> . The project home page is on Github at goneall/spdx-to-osv <https://github.com/goneall/spdx-to-osv> . The runtime can be downloaded from the release page <https://github.com/goneall/spdx-to-osv/releases> . If you are looking for an example file with some known vulnerabilities, you can use one of the test SPDX files <https://github.com/goneall/spdx-to-osv/blob/main/test-resources/spdx-test-e xternalref.json> from the repo. My primary motivation for writing the utility was to understand any deficiencies in the SPDX spec when it came to correlating vulnerabilities. Based on this experience, I came to two conclusions relative to the SPDX 2.2 spec: * It is pretty straightforward to translate External Refs/References (not to be confused with External Document References) into a format consumable by vulnerability databases. The biggest challenge was parsing CPE's (one of the External Ref formats). Fortunately, Steve Springett wrote an excellent Java based CPE parser and open sourced it under the Apache-2.0 license which is used by this utility. * Package URL's (PURLs) seem to be an increasingly standardize package identification format - something we plan on promoting to a first class package property in SPDX 3.0. Many of the external refs are converted to PURL in the utility. It turns out that most external refs can be translated to purls in a lossless fashion. A few interesting features: * There is an external ref parser the converts SPDX external refs into a format which can be consumed by OSV. This parser may also be useful in other use cases. * There is a Java API which interfaces to the OSV rest API. * There is a download location parser which looks for patterns that gives hints for package name and versions. Feel free to file any issues you find in the repo issues page <https://github.com/goneall/spdx-to-osv/issues> . If you think this might be useful for the SPDX community, I can transfer it to the SPDX repo. Regards, Gary ------------------------------------------------- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: <mailto:[email protected]> [email protected] CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4301): https://lists.spdx.org/g/Spdx-tech/message/4301 Mute This Topic: https://lists.spdx.org/mt/87969246/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
